Puppet integration with SecretServer (Thycotic)


Steve Shipway

Dec 12, 2011, 9:47:10 PM
to puppet...@googlegroups.com, puppe...@googlegroups.com
I've done some more development on my Puppet module that handles password integration with Secret Server from Thycotic, and now it handles certificates as well.

This allows you to have a 'password' define that ensures the password is stored in SecretServer, and changes it on a regular basis:

password { 'root': maxage=>60; }
password { 'oracle': }

Also now you can manage certificates, and it will install and update them:

ssl::cert { $fqdn: }
ssl::cert { 'foo.company.com': key=>'/usr/local/ssl/foo.key', crt=>'/usr/local/ssl/foo.crt'; }

The module will retrieve the certificate and key from SecretServer, then optionally restart Apache after installing them.  You can override this behaviour, or specify a different location for the files than the default of /etc/httpd/conf.
It can also work from files instead of secretserver if necessary.

This requires SecretServer 7.6 or later (for the certificates) and 7.0 or later (for passwords).  There is also a ruby module (secretserver.rb) that needs to be installed, as well as Ruby Gems and the 'savon' gem.

I'm working on wrapping the two up into a 'secretserver' module and uploading to moduleforge.

If anyone would like a copy, let me know.

Steve


Steve Shipway
University of Auckland ITS
UNIX Systems Design Lead

Daniel Pittman

Dec 14, 2011, 1:32:29 PM
to puppe...@googlegroups.com, puppet...@googlegroups.com
On Mon, Dec 12, 2011 at 18:47, Steve Shipway <s.sh...@auckland.ac.nz> wrote:

G'day Steve.

> I've done some more development on my Puppet module that handles password
> integration with Secret Server from Thycotic, and now it handles
> certificates as well.

That is pretty darn awesome - lots of people out there want some sort
of solution to this, and when I looked the Thycotic solution seemed
pretty solid. Does this work with the hosted service as well as the
in-house service?

(Not that I can imagine ever using the hosted service, but it might
make sense in some folks' threat models. ;)

> This allows you to have a 'password' define that ensures the password is
> stored in SecretServer, and changes it on a regular basis:
>
> password { 'root': maxage=>60; }
> password { 'oracle': }
>
> Also now you can manage certificates, and it will install and update them:
>
> ssl::cert { $fqdn: }
> ssl::cert { 'foo.company.com': key=>'/usr/local/ssl/foo.key',
> crt=>'/usr/local/ssl/foo.crt'; }
>
> The module will retrieve the certificate and key from SecretServer, then
> optionally restart Apache after installing them.  You can override this
> behaviour, or specify a different location for the files than the default of
> /etc/httpd/conf.
> It can also work from files instead of secretserver if necessary.

That looks pretty reasonable, but there are a couple of points that I
wondered at - and so, I wanted to take a look at the code and help
this be absolutely awesome!

> If anyone would like a copy, let me know.

Do you have the code in GitHub or somewhere like that, where I can have a look?

Is this the best email address to send any suggestions about improvements?

Would you accept pull requests or whatever?

Again, this looks absolutely awesome, and I would love to make it
something that everyone wanted to use.

Daniel
--
⎋ Puppet Labs Developer – http://puppetlabs.com
♲ Made with 100 percent post-consumer electrons
